On Wed, Nov 28, 2018 at 1:54 AM Michael Niedermayer <mich...@niedermayer.cc> wrote: > > Fixes: Timeout > Fixes: > 11318/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSMPEG4V1_fuzzer-5710884555456512 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/msmpeg4dec.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c > index 457a37e745..d278540ec2 100644 > --- a/libavcodec/msmpeg4dec.c > +++ b/libavcodec/msmpeg4dec.c > @@ -412,6 +412,9 @@ int ff_msmpeg4_decode_picture_header(MpegEncContext * s) > { > int code; > > + if (get_bits_left(&s->gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)) > + return AVERROR_INVALIDDATA; > +
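Review bot: the threshold in the added `if` at the start of ff_msmpeg4_decode_picture_header() is unexplained: get_bits_left() returns a count of bits, so `get_bits_left(&s->gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)` rejects the frame only when fewer than one bit per eight 16x16 macroblocks remains in the bitstream, and neither the hunk nor the commit message says why no valid frame can be that small. A one-line comment at the check stating what the two sides mean (remaining bits versus macroblock count, and the 1/8-bit-per-macroblock bound), plus the derivation of that bound in the commit message, would let a reader verify that this is only an early-out for fuzzed input that would otherwise cause the timeout the patch fixes, rather than a limit that could reject legitimate streams.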
Please add a comment to such lines explaining why these magic values were chosen, and an explanation in the commit message that explains the proof that these are an absolute limit and no valid frame could ever be smaller would be appreciated.

- Hendrik

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel